[openssl-dev] [openssl.org #4271] Enhancement Request: Support TCP Fast Open

Salz, Rich via RT rt at openssl.org
Tue Jan 26 21:38:03 UTC 2016


TFO is interesting because it lets UDP-style attacks happen at the TCP level.  Normally you can't do a TCP attack unless you have a valid client IP address.

Imagine connecting once and then sending the syncookie to the botnet.

This might be outside the scope of things OpenSSL cares about, and I know recent Linux kernels have some mitigation capabilities.  Also note that the server side should just work with no changes; it's on a TFO client that needs API changes.



